Hackers used packet sniffers to filch credit card data

Three scammers were using packet sniffers to harvest credit card numbers from …

Scammers were able to spend hundreds of thousands of dollars using credit cards numbers stolen from various Dave & Buster's locations across the US. It may not be the largest data theft in history, but the three men responsible for the heist have been caught over the last year, while the case itself was only made public this week.

Two of the men, Maksym "Maksik" Yastremskiy and Aleksandr "JonnyHell" Suvorov are held on 27 counts including aggravated identity theft, unauthorized computer access involving an interstate communication, and interception of electronic communications. According to court documents seen by Ars Technica, Yastremskiy and Suvorov "made materially false representations" to gain access to the server rooms in eleven of Dave & Buster's 50 US locations. The sniffers they installed logged credit card information between April and September 2007 as it was sent from branch locations to corporate headquarters, capturing around 5,000 card numbers from one New York location alone.

The third man, Albert Gonzalez, wrote the packet sniffing software the other two used and was captured in Miami, FL within the last two weeks. Gonzalez faces one count of wire fraud conspiracy.

Gonzalez's software apparently didn't work very well, as it had a bug that would prevent it from starting up whenever a machine had to be rebooted. This forced Yastremskiy and Suvorov to return to the compromised machines in order to restart the packet sniffers manually, a move that likely led to their arrests.

According to a statement filed by Special Agent Matthew Lynch in the case, Yastremskiy "was one of the biggest resellers of stolen credit card data targeted by the United States Secret Service." The information he and Suvorov collected was sold to other scammers who typically used it for purchases at online merchants.